Blocking another machine from another machine.
I need to block one server from communicating with another one within the same subnet. How would I do that from our FGT?
Likely the best way to do this is from the machine's own firewall settings. Technically, the Fortigate can only control/restrict traffic if that traffic is going through it; if you have two machines on the internal network, communicating via switches or both are on the same switch, the Fortigate may not even see that traffic. If the Fortigate was set in transparency mode you may have better options.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Makes sense. Thank you for responding.
If you change the server's IP address to some value outside of the (common) subnet, and specify the FGT to be the gateway for this, all traffic to and from the server has to cross the FGT. You would create an 'internal -> internal' policy and have control over the routed traffic.
Think of the consequences, and if nothing else stands in the way, it's feasible.
Hi all,
what is written here is not 100% accurate, which means the following:
- What is the reason that, in a standard configuration on a FGT, clients/servers within the same subnet can communicate with each other without going over the FGT?
The answer lies in the following command:
```
config system interface
    edit [Name of the interface]
        set icmp-redirect enable
end
```
This means "icmp-redirect" is enabled by default. WHY? If client A is connected to the FGT and requests client B in the same subnet as client A, what happens exactly (in a very short overview):
--> Client A requests client B with an ARP request because no ARP entry is available locally ("who has").
--> The ARP request reaches the FGT (default GW IP of the FGT) and the FGT itself broadcasts "who has".
--> Client B answers the FGT with "I am" (including its MAC address).
--> The FGT sends an "icmp-redirect" to client A including the MAC address and the "icmp-redirect" information, which actually means:
Here is the information "MAC/IP"; client B is in the same subnet as you, so do not come to me, go direct!
This is the reason the traffic does not go over the firewall: because "icmp-redirect" is enabled, clients A/B can communicate directly and you do not need any firewall policy on the FGT. If you would like to prevent this, disable "icmp-redirect"; then the FGT does not send client A an "icmp-redirect", the traffic will go over the FGT (because the default gateway points the client to the FGT) and you HAVE TO implement a firewall policy which allows traffic from client A to B and vice versa, etc. Of course, if "icmp-redirect" is disabled and client A makes a static ARP entry for client B locally, the traffic would also go direct and not over the FGT.
This, in short, is an overview of why or what is responsible for whether intercommunication between clients within a subnet directly connected to the FGT is possible or not, and whether it needs a firewall policy on the FGT or not. Be careful if you disable "icmp-redirect" and be aware that ALL traffic within a subnet then goes over the FGT (performance).
hope this helps
have fun
Andrea
I disagree, simply because of a PC's routing table. All traffic destined for the local subnet uses the local IP as the gateway.
```
C:\Users\rpatterson>netstat -r
...
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.151.250  192.168.151.121    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.151.0    255.255.255.0         On-link   192.168.151.121    266
  192.168.151.121  255.255.255.255         On-link   192.168.151.121    266
  192.168.151.255  255.255.255.255         On-link   192.168.151.121    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   192.168.151.121    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   192.168.151.121    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.131.24.4  Default
          0.0.0.0          0.0.0.0   192.168.151.250  Default
===========================================================================
...
```
Basically, the Fortigate is removed from the routing equation by the local device.
My two cents...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
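The routing-table argument in the post above can be checked mechanically. The following is an added example (not code from any poster or from Fortinet): it parses the "Active Routes" section of the `netstat -r` output quoted above, performs the same longest-prefix-match lookup a host does, and reports whether a destination is delivered on-link or sent to a gateway. The sample table is constructed from the quoted output, and the FortiGate address 192.168.151.250 is taken from its default route. Run it with a local-subnet destination and the route chosen is the on-link /24, so the FortiGate never sees that traffic; run it with an off-subnet destination and the default route (gateway = FortiGate) is chosen instead. This is the check a defender would do before deciding whether a FortiGate policy or a host firewall is the right enforcement point.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means "On-link"
    interface: ipaddress.IPv4Address
    metric: int

# Constructed sample: the "Active Routes" rows of the netstat -r output quoted
# in the post above (header and separator lines omitted).
SAMPLE_ROUTES = """\
          0.0.0.0          0.0.0.0  192.168.151.250  192.168.151.121    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.151.0    255.255.255.0         On-link   192.168.151.121    266
  192.168.151.121  255.255.255.255         On-link   192.168.151.121    266
  192.168.151.255  255.255.255.255         On-link   192.168.151.121    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   192.168.151.121    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   192.168.151.121    266
"""

FORTIGATE_IP = "192.168.151.250"   # gateway of the default route in the sample

def parse_netstat_routes(text: str) -> List[Route]:
    """Parse Windows 'netstat -r' Active Routes rows into Route objects."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        dest, mask, gw, iface, metric = parts
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw.lower() == "on-link" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, ipaddress.IPv4Address(iface), int(metric)))
    return routes

def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))

def next_hop(routes: List[Route], dst: str) -> str:
    """Return 'on-link' or the gateway address the host would send to."""
    r = lookup(routes, dst)
    return "on-link" if r.gateway is None else str(r.gateway)

def transits_firewall(routes: List[Route], dst: str, firewall_ip: str) -> bool:
    """True only if the selected route's gateway is the firewall itself."""
    r = lookup(routes, dst)
    return r.gateway is not None and r.gateway == ipaddress.IPv4Address(firewall_ip)

if __name__ == "__main__":
    table = parse_netstat_routes(SAMPLE_ROUTES)
    for target in ("192.168.151.50", "8.8.8.8"):
        r = lookup(table, target)
        print(f"{target:16} via {r.network} -> {next_hop(table, target)}"
              f" (through FortiGate: {transits_firewall(table, target, FORTIGATE_IP)})")
```

The tie-break on metric matters for the two 224.0.0.0/4 multicast rows in the sample, which differ only by interface and metric; the selection logic mirrors what Windows does, so the result for any destination is the route the host would actually use.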
Let's not complicate things; OP wanted to block one machine from another machine, on the same subnet: the simplest and easiest solution is to use the machine's own firewall for the blocking. IMHO. :)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave Hall wrote:
> Let's not complicate things; OP wanted to block one machine from another machine, on the same subnet: the simplest and easiest solution is to use the machine's own firewall for the blocking. IMHO. :)

Agreed.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
